Have you noticed that your Windows server or Windows XP machine is acting strange recently? Laggy system? Strange warnings? Services gone wild? It is possible that infection is ruining your day. This post will guide you through basic steps how to prevent infection or deal with it, if it is too late.
PREVENTION
* Keep up to date *
First thing you must do to guard your Windows server – keep it updated! Make sure you have latest service pack and security updates for your server. Updates can be downloaded directly from Windows Update (manually or scheduled) or through your WSUS (Windows server update services) server. You can get more information about WSUS server here . Keep it up to date and chance to get infected or hacked will decrease significantly.
* Access control *
Do you know who, when and with what permissions can access you server? Make that kind of list and setup logging for these users. Keep your server in secured room with limited access to authorized personnel only.
* Install Antivirus software *
To guard your server against possible threats you need decent antivirus software. There are many antivirus products on market and it can be hard to choose the best one. Lets talk straight… There is no really good free antivirus which can handle most infections, have great background auto scanning engine and all other features needed for normal server protection. I can suggest Symantec and AVG products. But you must do research on your own and choose product that suits you.
* Firewall is a must *
I guess there is no need to keep all 65535 ports opened on your server. Make a list of ports you`ll need to access and block unneeded ones with your firewall. It can be hardware firewall solution or software product. Personally i am using IpSec to block unwanted traffic to and from my servers. Note that build in Windows server 2003 firewall can control only incoming traffic. Also keep logging you firewall to see what possible threats you are dealing with.
* Monitoring *
Monitor your server. If you are equipped with intelligent monitoring solution you can see changes in server behavior very quickly. Personally i use Nagios and Microsoft Operations Manager to monitor my servers. Nagios for front line and MOM for more comprehensive monitoring.
*******************************************************************************************************************************
CLEAN INFECTION
If your server is infected follow these steps to clear it:
* Access to antivirus and update websites *
Fist of all check if you can access antivirus (Symantec , Panda and etc.) and Windows Update websites. One of infection symptoms are blocked antivirus vendor websites and inaccessible Windows Update site.
* Try to update your system *
If update website or WSUS is accessible try to update your system to install latest service packs and security updates.
* Disable network connection *
It can be that the source of infection is another infected computer on the network. Anyway it is highly recommended to be offline until the infection will be purged from your server.
* Run Full Antivirus/Antispyware scan *
If you have antivirus software installed on infected server it seems that it was bad choice. Anyway start full scan on the infected system.
Anyway i would recommend to get another antivirus product if possible with up to date databases and run it on infected system.
If your server is in really bad shape and new antivirus installations are impossible, old antivirus cant be started – create bootable antivirus CD disk with latest updates and boot your server from it to clear infection.
* Check Start Up programs *
You must check locations where programs are set to start automatically after server reboot for infected executables and delete them if antivirus software cant manage it.
Open registry editor and check these locations:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Check if you can see any unknown executables in the right pane that must be prevented from starting. You can search for this information in google from another computer by typing the name of executable.
To check another popular place open Start>Run, type msconfig and press OK. Select “Startup” tab and review executables once more.
To simplify all this infected startups hunting you can use nice tool named “Autoruns”. It will help you to see all locations of startups at once. Tool can be downloaded from here .
* Run virus removal tool *
If you managed to identify infection name download removal tool using another computer (we are offline remember?) and run it to make sure that infection was completely removed. Tool download location can be found by googling “<infection name> removal tool” .
* Update your system! *
If you are still missing any security updates hurry and update your system before infection strikes back again. Get missing updates and install them on infected server.
* Install new antivirus software *
* Review access permissions *
* Configure firewall rules *
* Back online! *
And… KEEP IT CLEAN !
